From: Chuck Lever <chuck.lever@oracle.com>
To: kdevops@lists.linux.dev
Cc: Luis Chamberlain <mcgrof@kernel.org>, cel@kernel.org
Subject: Re: [RFC PATCH] terraform/OCI: Grab secrets from ~/.oci/config
Date: Thu, 3 Apr 2025 13:55:27 -0400
Message-ID: <7e0c498d-6838-446d-b799-276cb2dbda87@oracle.com>
In-Reply-To: <20250403144906.1186015-1-cel@kernel.org>
On 4/3/25 10:49 AM, cel@kernel.org wrote:
> From: Chuck Lever <chuck.lever@oracle.com>
>
> Instead of storing authentication secrets in the kdevops .config
> file, pull them from the authentication profiles already set up
> in ~/.oci/config. This arrangement is more secure.
>
> terraform's API authentication is now managed outside of Kconfig,
> as is done with AWS. An update to docs/kdevops-terraform.md to
> follow.
>
> Suggested-by: Luis Chamberlain <mcgrof@kernel.org>
> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
> ---
> .../templates/oci/terraform.tfvars.j2 | 5 +---
> scripts/terraform.Makefile | 4 ---
> terraform/oci/kconfigs/Kconfig.identity | 27 +++++++------------
> terraform/oci/provider.tf | 7 ++---
> terraform/oci/vars.tf | 25 ++++-------------
> 5 files changed, 17 insertions(+), 51 deletions(-)
>
> The tenancy OCID, user OCID, fingerprint, and private key path
> Kconfig settings would no longer be needed. This patch fits
> somewhere in the middle of the 00/31 series, replacing several of
> those patches.
It appears that, though undocumented, terraform's azurerm provider can
also pull its authentication material from a home directory dot file
(~/.azure/azureProfile.json). Proof-of-concept tested and working.
Google already works this way. So we can use the "secrets are stored
outside of kdevops' .config file" for all four major cloud providers.
> diff --git a/playbooks/roles/gen_tfvars/templates/oci/terraform.tfvars.j2 b/playbooks/roles/gen_tfvars/templates/oci/terraform.tfvars.j2
> index f7b9ffb48c64..73b963230882 100644
> --- a/playbooks/roles/gen_tfvars/templates/oci/terraform.tfvars.j2
> +++ b/playbooks/roles/gen_tfvars/templates/oci/terraform.tfvars.j2
> @@ -1,8 +1,5 @@
> oci_region = "{{ terraform_oci_region }}"
> -oci_tenancy_ocid = "{{ terraform_oci_tenancy_ocid }}"
> -oci_user_ocid = "{{ terraform_oci_user_ocid }}"
> -oci_user_private_key_path = "{{ terraform_oci_user_private_key_path }}"
> -oci_user_fingerprint = "{{ terraform_oci_user_fingerprint }}"
> +oci_config_file_profile = "{{ terraform_oci_config_file_profile }}"
> oci_availablity_domain = "{{ terraform_oci_availablity_domain }}"
> oci_compartment_ocid = "{{ terraform_oci_compartment_ocid }}"
> oci_shape = "{{ terraform_oci_shape }}"
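Review bot: the new `oci_config_file_profile` line interpolates the Kconfig string inside double quotes with no escaping, so a profile name containing a `"` or a backslash would render an invalid terraform.tfvars; since the value is user-typed in Kconfig, either restrict it to the characters a profile name in ~/.oci/config can contain or render it through a quoting filter. Minor: the context line `oci_availablity_domain` carries a pre-existing misspelling of `availability` that also shows up in the Makefile and vars.tf hunks; this rename would be a convenient moment to fix it in a separate patch.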
> diff --git a/scripts/terraform.Makefile b/scripts/terraform.Makefile
> index 3235c1af84b9..75ba9b97b518 100644
> --- a/scripts/terraform.Makefile
> +++ b/scripts/terraform.Makefile
> @@ -96,10 +96,6 @@ endif
>
> ifeq (y,$(CONFIG_TERRAFORM_OCI))
> TERRAFORM_EXTRA_VARS += terraform_oci_region=$(subst ",,$(CONFIG_TERRAFORM_OCI_REGION))
> -TERRAFORM_EXTRA_VARS += terraform_oci_tenancy_ocid=$(subst ",,$(CONFIG_TERRAFORM_OCI_TENANCY_OCID))
> -TERRAFORM_EXTRA_VARS += terraform_oci_user_ocid=$(subst ",,$(CONFIG_TERRAFORM_OCI_USER_OCID))
> -TERRAFORM_EXTRA_VARS += terraform_oci_user_private_key_path=$(subst ",,$(CONFIG_TERRAFORM_OCI_USER_PRIVATE_KEY_PATH))
> -TERRAFORM_EXTRA_VARS += terraform_oci_user_fingerprint=$(subst ",,$(CONFIG_TERRAFORM_OCI_USER_FINGERPRINT))
> TERRAFORM_EXTRA_VARS += terraform_oci_availablity_domain=$(subst ",,$(CONFIG_TERRAFORM_OCI_AVAILABLITY_DOMAIN))
> TERRAFORM_EXTRA_VARS += terraform_oci_compartment_ocid=$(subst ",,$(CONFIG_TERRAFORM_OCI_COMPARTMENT_OCID))
> TERRAFORM_EXTRA_VARS += terraform_oci_shape=$(subst ",,$(CONFIG_TERRAFORM_OCI_SHAPE))
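Review bot: this hunk only removes the four secret-bearing TERRAFORM_EXTRA_VARS entries and does not add a `terraform_oci_config_file_profile=$(subst ",,$(CONFIG_TERRAFORM_OCI_CONFIG_FILE_PROFILE))` line, yet the tfvars template now references `{{ terraform_oci_config_file_profile }}`; the template therefore relies on the `output yaml` attribute added in the Kconfig.identity hunk to export that name. Either add the matching TERRAFORM_EXTRA_VARS line for consistency with the neighbouring region, availability-domain and shape entries, or say in the commit message that `output yaml` is the intended path so a reader does not take the omission for a bug.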
> diff --git a/terraform/oci/kconfigs/Kconfig.identity b/terraform/oci/kconfigs/Kconfig.identity
> index 928c700d9bd4..dce8f3bb54d9 100644
> --- a/terraform/oci/kconfigs/Kconfig.identity
> +++ b/terraform/oci/kconfigs/Kconfig.identity
> @@ -5,23 +5,14 @@ config TERRAFORM_OCI_TENANCY_OCID
> Read this:
> https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm
>
> -config TERRAFORM_OCI_USER_OCID
> - string "OCI user OCID"
> +config TERRAFORM_OCI_CONFIG_FILE_PROFILE
> + string "Authentication profile entry"
> + output yaml
> + default "DEFAULT"
> help
> - The OCI ID of the user to use.
> - Read this:
> - https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm
> + Authentication secrets are stored in ~/.oci/config. That
> + file may contain more than one entry/identity. Select the
> + entry in ~/.oci/config that kdevops uses to
> + authenticate to OCI. Examples:
>
> -config TERRAFORM_OCI_USER_PRIVATE_KEY_PATH
> - string "OCI user private key path"
> - help
> - Path to the file containing the private key of the user.
> - Read this:
> - https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm
> -
> -config TERRAFORM_OCI_USER_FINGERPRINT
> - string "OCI user fingerprint"
> - help
> - Fingerprint for the key pair being used.
> - Read this:
> - https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm
> + https://docs.oracle.com/en-us/iaas/Content/API/Concepts/sdkconfig.htm
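Review bot: the hunk header shows this change starts inside the help text of `config TERRAFORM_OCI_TENANCY_OCID`, which is left in place even though the tfvars, Makefile, provider.tf and vars.tf hunks all drop its consumers; that option becomes dead Kconfig and should be removed here (the note after the `---` already says it is no longer needed). In the new help text, "Examples:" is followed only by a URL; either give an actual example such as the `DEFAULT` entry the option defaults to, or reword it as "See:". Since ~/.oci/config now carries the API signing key path and fingerprint, the help text would also be a good place to remind the user to keep that file and the key readable only by their own account.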
> diff --git a/terraform/oci/provider.tf b/terraform/oci/provider.tf
> index 80361d3ac562..c4619e244d73 100644
> --- a/terraform/oci/provider.tf
> +++ b/terraform/oci/provider.tf
> @@ -2,9 +2,6 @@ terraform {
> }
>
> provider "oci" {
> - tenancy_ocid = var.oci_tenancy_ocid
> - user_ocid = var.oci_user_ocid
> - private_key_path = var.oci_user_private_key_path
> - fingerprint = var.oci_user_fingerprint
> - region = var.oci_region
> + config_file_profile = var.oci_config_file_profile
> + region = var.oci_region
> }
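Review bot: the `region = var.oci_region` line is deleted and re-added with no visible content change, so the diff appears to be alignment-only churn; keep it only if `terraform fmt` requires the new alignment, otherwise drop it to keep the hunk minimal. Also, a profile in ~/.oci/config typically carries its own `region`, so the provider now receives a region from two places; the commit message should state which one is expected to win when they differ, since the Kconfig-selected `var.oci_region` is what the rest of kdevops assumes.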
> diff --git a/terraform/oci/vars.tf b/terraform/oci/vars.tf
> index 4c6383d9b231..9e67ee9a8959 100644
> --- a/terraform/oci/vars.tf
> +++ b/terraform/oci/vars.tf
> @@ -1,28 +1,13 @@
> +variable "oci_config_file_profile" {
> + description = "Entry in ~/.oci/config to use for API authentication"
> + type = string
> +}
> +
> variable "oci_region" {
> description = "An OCI region"
> type = string
> }
>
> -variable "oci_tenancy_ocid" {
> - description = "OCID of your tenancy"
> - type = string
> -}
> -
> -variable "oci_user_ocid" {
> - description = "OCID of the user calling the API"
> - type = string
> -}
> -
> -variable "oci_user_private_key_path" {
> - description = "The path of the private key stored on your computer"
> - type = string
> -}
> -
> -variable "oci_user_fingerprint" {
> - description = "Fingerprint for the key pair being used"
> - type = string
> -}
> -
> variable "oci_availablity_domain" {
> description = "Name of availability domain"
> type = string
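Review bot: the new `oci_config_file_profile` variable has no `default`, whereas the Kconfig option that feeds it defaults to "DEFAULT"; adding `default = "DEFAULT"` here would keep the two in step and let the OCI provider fall back to the conventional profile when terraform is run against a hand-edited tfvars that omits the key, instead of failing on an unset variable. The description could also name the file's documented location (~/.oci/config, as the Kconfig help does) so the two sources of truth stay consistent.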
--
Chuck Lever